Linux · Recovery Guide

How to Check for a Rootkit on Linux

Learn to identify the signs of a rootkit infection on your Linux system, understand where to investigate, and confirm their presence safely.

Recognising the Symptoms of a Rootkit

Rootkits are designed to be stealthy, but their presence can often manifest through unusual system behaviour. Being aware of these symptoms can be the first step in detecting an infection.

• Unexpected and persistent high CPU usage, even when no demanding applications are running.
• Frequent system crashes or freezes that are not attributable to hardware issues or known software bugs.
• Unusual network activity, such as unexplained outgoing connections or high data transfer rates.
• Log files that are missing entries, appear tampered with, or contain suspicious, unrecognised activity.
• Changes to file permissions or ownership on critical system files without your knowledge.
• Antivirus or anti-malware software mysteriously failing to update, becoming disabled, or reporting false positives.

Initial Investigation: Where to Look

Knowing where to start your investigation is crucial when you suspect a rootkit. Focus on areas where rootkits commonly hide or leave traces.

• Check for hidden files and directories in critical system paths like /bin, /sbin, /usr/bin, and /usr/sbin using the command ls -la.
• Examine running processes for anything suspicious or unknown using ps aux and correlating them with known legitimate processes.
• Review kernel modules with lsmod for any unfamiliar entries that might indicate a loaded rootkit component.
• Inspect network connections and listening ports using netstat -tulnpa or ss -tulnpa for unauthorised services.
• Look into system logs in /var/log for unusual login attempts, failed commands, or manipulated entries.

Using Standard Commands for Deeper Insight

Even if a rootkit attempts to hide itself, standard Linux commands can often reveal inconsistencies or unexpected information when used carefully.

1. File Integrity Checks: Use rpm -Va on RPM-based systems (like Fedora, CentOS) or debsums on Debian-based systems (like Ubuntu) to verify core package integrity. This can locate altered system files.
2. Process and Network Monitoring: Run lsof -i or fuser -v /dev/kmem to get a detailed view of open files and network connections, which can sometimes bypass rootkit cloaking mechanisms.
3. Listing Hidden Processes: Try ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu to get a comprehensive list of processes and look for parent processes that don't make sense or processes with strange names.
4. Disk Usage Analysis: Use df -h and du -sh * in various directories to spot unexpectedly large or hidden files/directories that might belong to a rootkit.
5. Environment Variable Inspection: Check your system's environment variables with env for suspicious modifications that could redirect commands or load malicious libraries.

Confirming a Rootkit Without Intervention

To avoid alerting an attacker or causing further damage, it's best to confirm a rootkit's presence using tools that run from outside the potentially compromised system.

• Boot your system from a trusted 'live' Linux distribution (e.g., Ubuntu Live USB). This ensures you're running a clean operating system unaffected by any potential rootkit.
• From the live environment, mount your suspicious system's hard drive and use a rootkit detection tool like chkrootkit or rkhunter on the mounted drive. For example: sudo chkrootkit -r /mnt/your_system_root.
• Perform a thorough forensic analysis of disk images created from the compromised system on a separate, secure machine. This allows for in-depth inspection without touching the live system.
• Compare critical system files (e.g., /bin/ls, /sbin/init) from your suspicious system with known clean versions from your live environment or a trusted source.
• Look for evidence of kernel module manipulation or hidden processes that standard tools might miss when run from the live system.